| Field | Value |
|---|---|
| Title | PHPGurukul News Portal v1.0 Cross Site Scripting |
| Description | The Django News Management Application contains multiple Stored Cross-Site Scripting (XSS) vulnerabilities through unrestricted file upload functionality. The application fails to properly validate, sanitize, and restrict file types during the upload process across multiple endpoints, including profile picture uploads and news post image uploads.<br>The vulnerability exists in three locations:<br>http://127.0.0.1:8000/AdminProfile<br>http://127.0.0.1:8000/AddSubadmin<br>http://127.0.0.1:8000/ViewSubadmin/9<br>The application accepts SVG files without content inspection or sanitization. When these files are rendered in the browser (either by viewing admin/subadmin profiles or by opening the images in new tabs), the embedded JavaScript executes in the security context of any user viewing the content, including other administrators. |
| Source | https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md |
| User | hackerfactory (UID 85869) |
| Submission | 12.01.2026 18:31 (4 months ago) |
| Moderation | 25.01.2026 18:14 (13 days later) |
| Status | Accepted |
| VulDB Entry | 342840 [PHPGurukul News Portal 1.0 Profile Pic privilege escalation] |
| Points | 20 |
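The description above attributes the stored XSS to image uploads that are accepted without content inspection, so an SVG carrying script ends up served as a profile or news image. As an added example (not code from the News Portal project or the submitter), the Python check below admits an upload only when its bytes match an allowed raster format and classifies SVG payloads separately so that rejections are visible in server logs; the signature table, function names and sample files are assumptions constructed for the illustration.

```python
# Added example, not code from the News Portal project: validate image
# uploads by content rather than by extension or client-supplied MIME type.
import re

# Magic-byte signatures of the raster formats the upload should accept.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of active content inside an SVG document, for the rejection log.
SVG_ACTIVE_CONTENT = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b|<use\b[^>]*href",
    re.IGNORECASE,
)


def looks_like_svg(data: bytes) -> bool:
    """True if the bytes are an SVG document, whatever the filename says."""
    head = data.lstrip()[:1024].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); the reason is meant for the server log so
    rejected SVG uploads are visible to operators."""
    for fmt, sig in ALLOWED_SIGNATURES.items():
        if data.startswith(sig):
            return True, f"accepted {fmt}"
    if looks_like_svg(data):
        if SVG_ACTIVE_CONTENT.search(data):
            return False, f"rejected svg with active content ({filename})"
        return False, f"rejected svg ({filename})"
    return False, f"rejected unknown content ({filename})"


# Constructed samples: a PNG header, an SVG with a script element, and an
# SVG renamed to .png, which an extension check alone would let through.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/*x*/</script></svg>',
    "renamed.png": b'<?xml version="1.0"?><svg onload="x()"></svg>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_upload(name, blob))
```

In a Django view the same function would run on `request.FILES[...]` before the file is saved; serving user images from a separate origin with a restrictive Content-Type is the complementary control when SVG must be supported.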